kernel panic - stack-protector: kernel stack is corrupted in: f87aca93
Dave Chinner
david at fromorbit.com
Mon Feb 28 20:57:26 CST 2011
On Mon, Feb 28, 2011 at 07:32:53PM -0600, Eric Sandeen wrote:
> On 2/28/11 7:03 PM, Jeffrey Hundstad wrote:
> > Sadly, I didn't have the vmlinux file around anymore. I'll be glad to recreate it when I get in tomorrow. However, I have revered commit 3a3675b7f23f83ca8c67c9c2b6edf707fd28d1ba and the problem seems to have vanished. I'm guessing the stack at this point is a little to fragile for a memset. The patch is:
>
> Ok, no worries, if the below commit is the culprit for sure, that's enough...
>
> So, whoopsies.
>
> STATIC int
> xfs_ioc_fsgeometry_v1(
> xfs_mount_t *mp,
> void __user *arg)
> {
> xfs_fsop_geom_v1_t fsgeo;
> int error;
>
> error = xfs_fs_geometry(mp, (xfs_fsop_geom_t *)&fsgeo, 3);
>
> what we really have is an xfs_fsop_geom_v1_t, but cast to a xfs_fsop_geom_t.
>
> xfs_fs_geometry() zeroes it out to the tune of sizeof (xfs_fsop_geom_t)
>
> the latter is bigger, with the addition of
>
> __u32 logsunit;
>
> so we overwrite memory that's not ours. :( Seems like we should zero
> in the callers, when we know how much is really on the stack. I'll follow
> up with a patch; pity this one was fast-tracked for security, I think :(
Fmeh - the differences in structure size, alignment and padding on
different platforms was why I suggested that memset() is a
preferable fix to just setting a single field. I didn't look any
further at the patch before it was committed so I didn't catch the
fact that it was busted in the first place...
Just another example of Occam's Eraser(*) in action, I'd say.
Cheers,
Dave
(*) From the Fortune Cookie database:
OCCAM'S ERASER:
The philosophical principle that even the simplest solution is
bound to have something wrong with it.
--
Dave Chinner
david at fromorbit.com
More information about the xfs
mailing list